A consortium of U.S. federal agencies released a notification on Hoplight, a new data collector malware being used by the North Korean cyberespionage group Hidden Cobra (aka Lazuras).
The Department of Homeland Security, FBI, and Department of Defense in its malware analysis report on Hoplight noted it obfuscation plays a large role in the malware's behavior containing 20 malicious executable files, 16 of which are designed to mask activity between the malware and the operator.
“When executed the malware will collect system information about the victim machine including OS Version, Volume Information, and System Time, as well as enumerate the system drives and partitions,” the report states.
The malware is extremely sophisticated and uses proxies to generate fake TLS handshake sessions using valid public SSL certificates, so the network connection is effectively disguised.
Two versions of Hoplight exist “So if the opcode for Keepalive in version 1 is 0xB6C1, the opcode in version 2 will be 0xB6C2,” the report stated.
Hidden Cobra is one of the most prolific state sponsored hacking groups attacking a wide variety of targets. While the group primarily focuses on South Korean, U.S and Japanese targets, the nation’s North Korea considers its primary foes, with an occasional smattering of others like Russia.